diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/Documentation/Configure.help linux-2.4.28-grsec-port/Documentation/Configure.help
--- linux-2.4.28-grsec/Documentation/Configure.help 2005-01-24 21:21:37.000000000 +0000
+++ linux-2.4.28-grsec-port/Documentation/Configure.help 2005-01-24 21:27:07.000000000 +0000
@@ -23903,16 +23903,16 @@
NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
feature on a per file basis.
-Deny writing to /dev/kmem, /dev/mem, and /dev/port
+Deny writing to /dev/kmem and /dev/mem
CONFIG_GRKERNSEC_KMEM
If you say Y here, /dev/kmem and /dev/mem won't be allowed to
be written to via mmap or otherwise to modify the running kernel.
- /dev/port will also not be allowed to be opened. If you have module
- support disabled, enabling this will close up four ways that are
- currently used to insert malicious code into the running kernel.
- Even with all these features enabled, we still highly recommend that
- you use the RBAC system, as it is still possible for an attacker to
- modify the running kernel through privileged I/O granted by ioperm/iopl.
+ If you have module support disabled, enabling this, along with /dev/port
+ (below) will close up four ways that are currently used to insert
+ malicious code into the running kernel. Even with all these features
+ enabled, we still highly recommend that you use the RBAC system, as it
+ is still possible for an attacker to modify the running kernel
+ through privileged I/O granted by ioperm/iopl.
If you are not using XFree86, you may be able to stop this additional
case by enabling the 'Disable privileged I/O' option. Though nothing
legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
@@ -23922,6 +23922,13 @@
It is highly recommended that you say Y here if you meet all the
conditions above.
+Deny access to /dev/port
+CONFIG_GRKERNSEC_PORT
+ If you say Y here, /dev/port will not be able to be opened. This option
+ is normally used in conjunction with /dev/kmem (above). It is seperated
+ here because it breaks certain utilities (for example, kbdrate).
+ Is is highly recommended that you say Y here.
+
Disable privileged I/O
CONFIG_GRKERNSEC_IO
If you say Y here, all ioperm and iopl calls will return an error.
diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/drivers/char/mem.c linux-2.4.28-grsec-port/drivers/char/mem.c
--- linux-2.4.28-grsec/drivers/char/mem.c 2005-01-24 21:21:37.000000000 +0000
+++ linux-2.4.28-grsec-port/drivers/char/mem.c 2005-01-24 21:21:59.000000000 +0000
@@ -562,7 +562,7 @@
static int open_port(struct inode * inode, struct file * filp)
{
-#ifdef CONFIG_GRKERNSEC_KMEM
+#ifdef CONFIG_GRKERNSEC_PORT
gr_handle_open_port();
return -EPERM;
#endif
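Review bot: Moving the guard at the top of open_port from CONFIG_GRKERNSEC_KMEM to CONFIG_GRKERNSEC_PORT means an existing .config that has CONFIG_GRKERNSEC_KMEM=y but predates the new symbol will build an open_port that no longer refuses /dev/port, so the split quietly drops a hardening that was previously on unless the new option is also selected. A one-line comment above the `#ifdef` would make that visible to the next person touching the file: `/* /dev/port denial lives under CONFIG_GRKERNSEC_PORT (split out of CONFIG_GRKERNSEC_KMEM); both must be set to keep the old behaviour */`. With the option set, the early `return -EPERM` leaves the rest of the function unreachable, and gr_handle_open_port() presumably acts only as an audit hook before the refusal — its definition is not in the hunk. The end of open_port is outside the hunk.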
diff -urN --exclude-from=diff-exclude linux-2.4.28-grsec/grsecurity/Config.in linux-2.4.28-grsec-port/grsecurity/Config.in
--- linux-2.4.28-grsec/grsecurity/Config.in 2005-01-24 21:21:37.000000000 +0000
+++ linux-2.4.28-grsec-port/grsecurity/Config.in 2005-01-24 21:21:59.000000000 +0000
@@ -27,6 +27,7 @@
define_bool CONFIG_GRKERNSEC_CHROOT_SYSCTL n
define_bool CONFIG_GRKERNSEC_PROC_USERGROUP n
define_bool CONFIG_GRKERNSEC_KMEM n
+define_bool CONFIG_GRKERNSEC_PORT n
define_bool CONFIG_GRKERNSEC_PROC_ADD n
define_bool CONFIG_GRKERNSEC_CHROOT_CHMOD n
define_bool CONFIG_GRKERNSEC_CHROOT_NICE n
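Review bot: The new `define_bool CONFIG_GRKERNSEC_PORT` line mirrors the CONFIG_GRKERNSEC_KMEM default in this preset block and in the one at `@@ -173`, but only part of Config.in is visible, so any other preset that defines CONFIG_GRKERNSEC_KMEM without a matching CONFIG_GRKERNSEC_PORT line would leave the new symbol unset there and /dev/port open at that level. The help text says the option is normally used together with the kmem one, yet nothing in the presets or the prompt ties the two symbols, so the pairing rests on each preset being edited by hand. A short comment next to the new line, such as `# keep in step with CONFIG_GRKERNSEC_KMEM: /dev/port denial was split out of it`, would record why the two lines travel together.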
@@ -173,6 +174,7 @@
define_bool CONFIG_GRKERNSEC_PROC_USERGROUP y
define_int CONFIG_GRKERNSEC_PROC_GID 10
define_bool CONFIG_GRKERNSEC_KMEM y
+define_bool CONFIG_GRKERNSEC_PORT y
define_bool CONFIG_GRKERNSEC_RESLOG y
define_bool CONFIG_GRKERNSEC_RANDNET y
define_bool CONFIG_GRKERNSEC_RANDISN y
@@ -295,7 +297,8 @@
fi
fi
-bool 'Deny writing to /dev/kmem, /dev/mem, and /dev/port' CONFIG_GRKERNSEC_KMEM
+bool 'Deny writing to /dev/kmem and /dev/mem' CONFIG_GRKERNSEC_KMEM
+bool 'Deny access to /dev/port' CONFIG_GRKERNSEC_PORT
if [ "$CONFIG_X86" = "y" ]; then
bool 'Disable privileged I/O' CONFIG_GRKERNSEC_IO
if [ "$CONFIG_GRKERNSEC_IO" = "y" ]; then